
Salesforce Mobile App: Single Sign-On overview

Published: Apr 9, 2026
Description

 

The Salesforce Mobile App for iOS and Android behaves differently from a web browser, which means additional setup is required to ensure that Single Sign-On (SSO) works correctly.
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an Identity Provider (IDP) and a Service Provider (SP). SSO (Single Sign-On) allows users to log in once and access multiple applications.
If the best practices below are not applied, users may experience unpredictable or intermittent login issues. Even if some users or login attempts succeed, review all resolution steps to restore consistent functionality.
Important: The Salesforce Mobile App only supports Service Provider (SP) Initiated SSO. If your organization currently uses Identity Provider (IDP) Initiated authentication, you must switch to SP-Initiated for mobile SSO to work correctly.

 

Resolution
This article helps administrators configure and troubleshoot Single Sign-On (SSO) for the Salesforce Mobile App. Follow the steps below to implement best practices and resolve the most common SSO errors.
 

Getting Started

See the Single Sign-On documentation for foundational setup guidance.
 
Organizations using Active Directory Federation Services (ADFS) to authenticate with SAML should follow: Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider.
With Premier Support, an Individual Coaching Session can be requested. See: Request an Individual Coaching Session.
 
Implement SSO for the Salesforce Mobile App

Enable My Domain

  1. Enable the My Domain feature in your organization: My Domain Overview.
  2. Add your SAML configuration to the Authentication Service in the My Domain Authentication Configuration section: Add Identity Providers to the My Domain Login Page.
Note: Users should enter their custom My Domain URL as a custom connection in the app. Do not use the "Use custom domain" link on the standard login page. See: Switch Login Server in Salesforce Mobile Apps.

Forms-Based Login Page

  • After entering the My Domain URL, the user should land on a web page with a form to enter their network username and password.
  • Windows Integrated Authentication (NTLM) and other credential prompts are not supported by the Salesforce Mobile App, and will result in a 401 error or a white screen.
  • For ADFS 2.0 setup guidance, see:
    - Understanding the ADFS 2.0 Proxy
    - Customizing the ADFS Forms-Based Login Page

RelayState

  • When the Salesforce Mobile App initiates SAML, it includes a RelayState value your Identity Provider must echo back to complete the OAuth setup.
  • For ADFS 2.0 RelayState support after all roll-up patches are installed, see Microsoft's Supporting Identity Provider Initiated RelayState.

HTTP POST or HTTP Redirect Bindings

  • Your IDP must support HTTP POST or HTTP Redirect bindings.
  • If using ADFS: use HTTP Redirect binding in Salesforce SSO settings; keep POST on the ADFS side.
 

Common Issues

Full site interface appears inside the Salesforce Mobile App after SAML login

  • The RelayState is not being correctly returned by the Identity Provider.
  • Verify the Identity Provider Login URL in your SAML settings does not contain extra parameters.
  • Common affected IDPs: PING and ADFS.
    - ADFS — Correct: {ADFS DOMAIN}/adfs/ls/ | Incorrect: {ADFS DOMAIN}/adfs/ls/idpinitiatedsignon.aspx?loginToRp=...
    - PING — Correct: {IDP DOMAIN}/idp/SSO.saml2 | Incorrect: {IDP DOMAIN}/idp/startSSO.ping?PartnerSpId=...
  • See also: RelayState Character Limit.

 

401 error or white screen when entering My Domain URL

  • The Identity Provider is presenting Windows Integrated Authentication (NTLM) or another credential prompt instead of a forms-based login page. The Salesforce Mobile App does not support these prompts (see Forms-Based Login Page above); the Identity Provider must serve a web page with a form for the network username and password to mobile clients.

"InResponseTo: Invalid" SAML assertion error

  • The InResponseTo attribute of the SAML response does not match the ID of the AuthnRequest that Salesforce sent. Verify that the Identity Provider returns the response for the request it received, and that it is not returning an IDP-initiated response (which carries no InResponseTo) or a stale response from an earlier request.

Certificate-related errors

  • Most certificate issues cannot be resolved by Salesforce Support.
  • Internal SSO or IT teams must upload a new certificate or ensure the current certificate is properly installed on the device.

404 Error: File or directory not found

  • Typically caused by the HTTP Redirect binding placing the SAML request in the query string, which can exceed the 2048-character query-string limit that Microsoft IIS request filtering enforces by default (maxQueryString).
  • Options:
    - Increase the server limit. See: Request Limits in IIS.
    - Switch the request binding to POST.
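The two bindings and the URL-length problem, shown as an added Python example (not Salesforce or AD FS code): the AuthnRequest, the AD FS endpoint, the entity IDs and the RelayState value are all constructed for illustration. It encodes one SP-initiated AuthnRequest under both bindings, shows the IdP-side decode that must hand RelayState back unchanged, and measures the Redirect form's query string against the IIS default of 2048 characters that produces the 404 above.

```python
"""Encode an SP-initiated SAML AuthnRequest under the HTTP-Redirect and HTTP-POST
bindings and measure the Redirect query string against the IIS request-filtering
default.  Added illustration, not Salesforce or AD FS code; entity IDs, URLs and
the RelayState value are constructed."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

IIS_DEFAULT_MAX_QUERY_STRING = 2048  # IIS request filtering maxQueryString default


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str,
                        request_id: str, issue_instant: str) -> str:
    """Minimal unsigned SAML 2.0 AuthnRequest.  Real requests are usually signed
    and carry more elements, which only makes the encoded form longer."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
        'AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def redirect_binding_url(authn_request: str, idp_sso_url: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query
    string together with RelayState.  Everything lands in the URL, which is
    exactly what IIS request filtering measures."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "RelayState": relay_state}
    sep = "&" if "?" in idp_sso_url else "?"
    return f"{idp_sso_url}{sep}{urlencode(params)}"


def decode_redirect_binding(url: str) -> tuple:
    """What the IdP does on receipt: URL-decode, base64-decode, inflate.
    RelayState must come back exactly as the SP sent it (percent-decoded once)."""
    q = parse_qs(urlparse(url).query, strict_parsing=True)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml, q.get("RelayState", [""])[0]


def post_binding_form(authn_request: str, idp_sso_url: str, relay_state: str) -> dict:
    """HTTP-POST binding: plain base64 in an auto-submitted form body, so the
    request size never touches the URL length limit."""
    return {"action": idp_sso_url,
            "SAMLRequest": base64.b64encode(authn_request.encode()).decode(),
            "RelayState": relay_state}


def query_string_exceeds_iis_limit(url: str, limit: int = IIS_DEFAULT_MAX_QUERY_STRING) -> bool:
    """True when the query string alone is longer than `limit` characters."""
    return len(urlparse(url).query) > limit


if __name__ == "__main__":
    idp = "https://adfs.example.com/adfs/ls/"  # constructed AD FS endpoint
    req = build_authn_request("https://example.my.salesforce.com",
                              "https://example.my.salesforce.com/",
                              idp, "_4d1f2c0e9a7b6c5d", "2026-04-09T00:00:00Z")
    # Constructed opaque RelayState; the mobile app's real value is an OAuth state blob.
    relay = "mobile-oauth-state-" + "x" * 1800
    url = redirect_binding_url(req, idp, relay)
    print("Redirect query length:", len(urlparse(url).query),
          "exceeds IIS default:", query_string_exceeds_iis_limit(url))
    assert decode_redirect_binding(url) == (req, relay)  # IdP-side round trip
    form = post_binding_form(req, idp, relay)
    print("POST form fields:", sorted(form))
```

Run it and compare the two outputs: the same request that overflows the Redirect query string travels without any length concern in the POST form, which is the "switch the request binding to POST" option above.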

"An SSL (Secure Sockets Layer) error has occurred and a secure connection to the server cannot be made"

  • Upgrade iOS and the Salesforce Mobile App to the latest available versions. See: Requirements for the Salesforce App.
  • Salesforce recommends IT/Security teams upgrade SSO servers to support TLS 1.2.
  • This error can also occur if the Identity Provider's certificates are missing or have an incomplete certificate chain. Use SSL review tools to validate your certificate chain.

OAuth Error 1800

  • Caused when the Identity Provider mis-encodes or truncates the RelayState value in the SAML request.
  • Ensure the SAML response returns the RelayState exactly as provided in the original Salesforce request.
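The service-provider-side checks behind the "InResponseTo: Invalid", full-site-interface and OAuth Error 1800 symptoms above, as an added Python example (not Salesforce code): the responses, request IDs and RelayState values are constructed for illustration, and signature, Issuer, Audience and time-window validation are left out and would run before any of this is trusted. It accepts a response only when its InResponseTo names an AuthnRequest the SP actually issued and the RelayState posted back is byte-identical to the one sent, and runs four IdP behaviours against that check, including an IdP that URL-decodes the RelayState and an IDP-initiated response.

```python
"""SP-side validation of a SAML Response's InResponseTo and echoed RelayState.
Added illustration, not Salesforce code; all responses, IDs and RelayState
values are constructed.  Signature/Issuer/Audience/time checks are omitted
here and must precede these checks in any real ACS."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for real IdP input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class SamlResponseError(Exception):
    pass


def check_acs_post(form: dict, pending: dict) -> str:
    """Validate an HTTP-POST binding response at the ACS.

    `pending` maps the ID of each outstanding AuthnRequest to the RelayState
    sent with it.  On success the entry is consumed (a replay of the same
    Response cannot match twice) and the request ID is returned."""
    if "SAMLResponse" not in form:
        raise SamlResponseError("no SAMLResponse field")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlResponseError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No AuthnRequest to tie it to: an IDP-initiated response, unusable by the mobile flow.
        raise SamlResponseError("InResponseTo missing (IDP-initiated response)")
    if in_response_to not in pending:
        raise SamlResponseError(f"InResponseTo: Invalid ({in_response_to} unknown or already used)")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("InResponseTo") not in (None, in_response_to):
        raise SamlResponseError("assertion InResponseTo disagrees with Response")
    expected = pending[in_response_to]
    actual = form.get("RelayState")
    if actual != expected:  # exact match: any re-encoding or truncation by the IdP fails here
        raise SamlResponseError(f"RelayState altered: sent {expected!r}, got {actual!r}")
    del pending[in_response_to]
    return in_response_to


def make_response(in_response_to=None) -> str:
    """Constructed, unsigned success Response (demo only; never accept unsigned responses)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_resp1" Version="2.0" IssueInstant="2026-04-09T00:00:00Z"{attr}>'
           '<saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>'
           '<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def attempt(form: dict, pending: dict) -> str:
    """Run one ACS post and report the outcome as a string."""
    try:
        return "ok:" + check_acs_post(form, pending)
    except SamlResponseError as exc:
        return "error:" + str(exc)


def run_demo() -> dict:
    """Four constructed IdP behaviours against the same SP-side check."""
    sent = "a%2Fb=c"  # constructed opaque RelayState, exactly as the SP sent it
    pend = {"_req1": sent}
    results = {"correct_echo": attempt(
        {"SAMLResponse": make_response("_req1"), "RelayState": sent}, pend)}
    # Same Response posted again: the pending entry is gone, so it is rejected.
    results["replay"] = attempt(
        {"SAMLResponse": make_response("_req1"), "RelayState": sent}, pend)
    pend = {"_req2": sent}
    # IdP percent-decoded the RelayState before echoing it (the OAuth 1800 pattern).
    results["idp_decoded_relay_state"] = attempt(
        {"SAMLResponse": make_response("_req2"), "RelayState": "a/b=c"}, pend)
    # IDP-initiated response: no InResponseTo at all.
    results["idp_initiated"] = attempt(
        {"SAMLResponse": make_response(), "RelayState": sent}, pend)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:26} {outcome}")
```

The comparison on the RelayState is deliberately a plain string equality rather than a normalised one: the value is opaque to the IdP, and an IdP that "helpfully" decodes, re-encodes or trims it is exactly the misbehaviour the troubleshooting steps above describe.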

"Error 403: disallowed_useragent" when using Google SSO

  • Google Authentication using OpenID on iOS devices does not work within standard app webviews.
  • See the Advanced Authentication section below for a workaround.
 
Advanced Authentication
Some authentication methods — such as Google Authentication using OpenID on iOS or Azure/Intune Conditional Access policies — are not compatible with standard app webviews.

Workaround:

Note: Advanced authentication is not supported for logging into a Community through a mobile application.

For MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) certificate-based authentication, see: Salesforce Mobile App MDM and EMM Support and Troubleshooting.
Knowledge Article Number

000386791

Salesforce Help | Article